HealthEquity, a health technology company, disclosed in a filing with federal regulators Tuesday that it suffered a data breach in which hackers stole some customers’ “protected health information.”
In 8-K filing with the Securities and Exchange CommissionThe company said it detected “unusual behavior from a business partner’s personal-use device,” and concluded that the partner’s account had been compromised by someone who then used the account to access member information.
On Wednesday, HealthEquity revealed more details about the incident to TechCrunch. HealthEquity spokeswoman Amy Cerny said in an email that it was an “isolated incident” that was not related to other recent breaches, such as the breach at Change Healthcare, which is owned by healthcare giant UnitedHealth. In May, UnitedHealth CEO Andrew Witty told a House hearing that the breach affected “probably a third” of all Americans.
HealthEquity discovered the breach on March 25, when it “took immediate action, resolved the issue, and began a full-scale data investigation, which was completed on June 10.” The company assembled “a team of external and internal experts to investigate and prepare for a response.” The investigation determined that the breach was caused by a compromised external vendor account gaining access to “certain HealthEquity SharePoint data,” according to Cerny.
call us
Do you have more information about this HealthEquity breach? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase, and Wire @lorenzofb, or via email. You can also contact TechCrunch via SecureDrop.
Share point It is a suite of Microsoft tools that allow businesses to create websites, as well as store and share internal information – essentially an intranet.
Cerny also said that “transactional systems, where integrations occur, were not affected,” and that the company is notifying partners, customers and members, and working with law enforcement as well as experts to work on preventing future incidents.
TechCrunch asked Cerny to specify what personal information and protected health information was stolen in the breach, how many people were affected and which partner was involved. Cerny declined to answer all of these questions.
Earlier this year, HealthEquity Reported The Company and its subsidiaries “manage health savings accounts and other community development accounts for our more than 15 million accounts in partnership with employers, benefits consultants, and health care and retirement plan providers.”